AdThief Malware Infects Over 75,000 Jailbroken iOS Devices

If you have a jailbroken iDevice such as an iPhone, iPod, or iPad and have installed or downloaded any pirated modifications from pirated repositories, there is a substantial chance that you are infected with ‘AdThief’, a new Chinese ad-stealing malware that has been recorded on over 75,000 iOS devices.

In a recent research paper (PDF) published on Virus Bulletin, security researcher Axelle Apvrille gives an overview of the malware, originally known as “spad”, which was first recorded by another researcher, Claud Xia, in early March of this year.

As of now, AdThief or Spad has hijacked an estimated 22 million advertisement displays, stealing revenues from iOS developers in the jailbreak community, Axelle Apvrille reported.

AdThief infects a jailbroken device by disguising itself as a Cydia Substrate extension (Cydia Substrate is present only on jailbroken iOS devices). Once the Cydia package has finished downloading, it proceeds to install itself on the device.

Once AdThief has hijacked the device, the cybercriminals begin displaying their own advertisements on it, redirecting all possible revenue to themselves. Applications downloaded to the device from Apple’s App Store that run advertisements will display the thieves’ advertisements rather than the original developer’s.

“In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate,” Apvrille writes. “[AdThief] hooks various advertisement functions and modifies the developer ID (a.k.a. promotion ID) to match that of the attacker.”
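A tweak that rewrites the promotion ID inside third-party ad SDKs has to be injected into every app that shows ads, and on a jailbroken device Cydia Substrate decides where a tweak loads from the filter plist that sits beside each dylib in /Library/MobileSubstrate/DynamicLibraries. The script below, an added example that is not from the article or from Apvrille’s paper, audits those plists and flags tweaks whose filter is empty (loads into every process) or names com.apple.UIKit (loads into every UIKit app). The sample plists are constructed; the com.apple.Foundation entry in BROAD_FILTERS is an assumption for this example, and the check is a heuristic about injection scope, not a signature for AdThief, since many legitimate tweaks use the same broad filter.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Directory Cydia Substrate scans for tweak dylibs and their filter plists.
SUBSTRATE_DIR = Path("/Library/MobileSubstrate/DynamicLibraries")

# Filter targets that make a tweak load into essentially every app.
# com.apple.UIKit is the conventional "all UIKit apps" filter;
# com.apple.Foundation is included as an assumption for this example.
BROAD_FILTERS = {"com.apple.UIKit", "com.apple.Foundation"}


def classify_filter(plist_bytes: bytes) -> dict:
    """Parse one Substrate filter plist and summarise where it injects."""
    data = plistlib.loads(plist_bytes)
    filt = data.get("Filter", {})
    bundles = list(filt.get("Bundles", []))
    executables = list(filt.get("Executables", []))
    classes = list(filt.get("Classes", []))
    broad = sorted(set(bundles) & BROAD_FILTERS)
    # With no Filter dictionary at all, Substrate loads the dylib everywhere.
    unfiltered = not (bundles or executables or classes)
    if unfiltered:
        reason = "no Filter dictionary"
    elif broad:
        reason = ", ".join(broad)
    else:
        reason = ""
    return {
        "bundles": bundles,
        "executables": executables,
        "classes": classes,
        "loads_everywhere": unfiltered or bool(broad),
        "reason": reason,
    }


def audit_substrate_plists(plists: Dict[str, bytes]) -> List[str]:
    """Return the names of tweaks that inject into every (or nearly every) app."""
    flagged = [name for name, raw in plists.items()
               if classify_filter(raw)["loads_everywhere"]]
    return sorted(flagged)


def load_from_device(directory: Path = SUBSTRATE_DIR) -> Dict[str, bytes]:
    """Read each *.plist that has a matching *.dylib, on-device or from a copied tree."""
    result = {}
    for plist_path in directory.glob("*.plist"):
        if plist_path.with_suffix(".dylib").exists():
            result[plist_path.stem] = plist_path.read_bytes()
    return result


# Constructed sample plists standing in for files copied off a device.
SAMPLE_PLISTS = {
    # Single-app tweak: loads into one game bundle only.
    "MyGameTweak": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Filter</key><dict>
    <key>Bundles</key><array><string>com.example.game</string></array>
  </dict>
</dict></plist>""",
    # Loads into every UIKit app: the scope an ad-hooking tweak needs.
    "SuspiciousTweak": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Filter</key><dict>
    <key>Bundles</key><array><string>com.apple.UIKit</string></array>
  </dict>
</dict></plist>""",
    # No Filter dictionary at all: loads into every process.
    "NoFilterTweak": b"""<plist version="1.0"><dict></dict></plist>""",
}

if __name__ == "__main__":
    # Swap SAMPLE_PLISTS for load_from_device() when running on a real device.
    for name in audit_substrate_plists(SAMPLE_PLISTS):
        print("injects into every app:", name, "-", classify_filter(SAMPLE_PLISTS[name])["reason"])
```

Anything the audit flags deserves a look at the dylib itself (which package installed it, and whether it imports the ad SDK symbols); an unexpected broad-scope tweak from a pirated repository is the kind of finding the article warns about.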

AdThief targets 15 extremely popular mobile advertising networks, including Google AdMob and Mobile Ads, AdWhirl, MdotM and MobClick. Four of these are United States based firms, two are based in India, and the remainder are in China.

Researchers were able to identify the targets because the hackers had mistakenly left identifying information in the code. Apvrille investigated further and located the developer, who ran a blog about various Android hacks as well as a GitHub account and an inactive Twitter account. Apvrille then located a Chinese user named Zerofile, or Rover12421, who admitted to writing the AdThief malware but denied spreading it.

According to the researchers, the number of infected iOS devices is small compared to the total number of iOS users. Even so, the attacker is likely to have gained significant revenue from an estimated 22 million hijacked advertisements.

One significant point about the malware is that there is no way for a user to tell whether an iOS device is infected with AdThief, because it runs in the background and is nearly impossible to detect. Users whose devices are not jailbroken need not worry; they are safeguarded from the malware.

Since jailbreaking opens many doors, users need to be careful about which repositories they download from and trust. Always be wary when adding new trusted sources, and always be suspicious when installing ‘free’ applications or tweaks.